Transparent Proxy
A transparent proxy is a server that intercepts network traffic going to and from a service without requiring any changes to the application code. In Kuma, it captures this traffic and routes it to the data plane proxy, allowing Mesh policies to be applied.
Kuma uses iptables and also has experimental support for eBPF to make this possible.
For details on how the transparent proxy works in Kuma, see the Technical Overview.
Kubernetes
In Kubernetes mode, the transparent proxy is automatically set up through the kuma-init
container or Kuma CNI. By default, it intercepts all incoming and outgoing traffic and routes it through the kuma-dp
sidecar container, so no changes to the application code are needed.
Kuma works smoothly with Kubernetes DNS for Services and Pods and provides its own Kuma DNS, which is especially helpful in multi-zone setups for cross-zone service discovery.
In this mode, Kuma requires the transparent proxy to be enabled, so it cannot be turned off.
For more details on using the transparent proxy with Kubernetes, see Transparent Proxy on Kubernetes.
Universal
Using the transparent proxy in Universal mode makes setup easier and enables features that wouldn’t be possible otherwise. Key benefits include:
-
Simplified
Dataplane
resources: You can skip thenetworking.outbound
section, so you don’t have to list each service your application connects to manually. -
Simplified service connectivity: Take advantage of Kuma DNS to use
.mesh
domain names, likehttps://service-1.mesh
, for easy service connections without needinglocalhost
and ports in theDataplane
resource. -
Flexible service addressing: With MeshServices and HostnameGenerators, you can:
- Keep your existing DNS names when moving to the service mesh.
- Give a service multiple DNS names for easier access.
- Set up custom routes, like targeting specific StatefulSet Pods or service versions.
- Expose a service on multiple ports for different uses.
-
Simpler security, tracing, and observability: Transparent proxy makes managing these features easier, with no extra setup required. For more details related to transparent proxy on Universal refer to Transparent Proxy on Universal
For more details on using the transparent proxy with Universal, see Transparent Proxy on Universal.
Transparent proxy with eBPF (experimental)
Starting from Kuma 2.0 you can set up transparent proxy to use eBPF instead of iptables.
To use the transparent proxy with eBPF your environment has to use Kernel >= 5.7
and have cgroup2
available
kumactl install control-plane \
--set "experimental.ebpf.enabled=true" \
| kubectl apply -f-